Abstract

Specification languages for concurrent software systems need to combine practical algorithmic efficiency with high expressive power and the ability to reason about both states and events. We address this question by defining a new branching-time temporal logic SE-AΩ which integrates both state-based and action-based properties. SE-AΩ is universal, i.e., preserved by the simulation relation, and thus amenable to counterexample-guided abstraction refinement. We provide a model-checking algorithm for this logic, and describe a compositional abstraction-refinement loop which exploits the natural decomposition of the concurrent system; the abstraction and refinement steps are performed over each component separately, and only the model checking step requires an explicit composition of the abstracted components. For experimental evaluation, we have integrated the presented algorithms in the software verification tool MAGIC, and determined a previously unknown race condition error in a piece of an industrial robot control software.
1 Introduction

The practical effectiveness of model checking is characterized by a trade-off between the expressive power of the specification formalism and the complexity of the corresponding model checking algorithm. For software verification, this problem is even more acute, since software is harder to specify, and state explosion is exacerbated by the concurrent execution of multiple components. The expressive power of temporal logics such as CTL or LTL is quite limited when it comes to specifying, e.g., the periodicity of events. The last decade has seen several attempts at extending the expressiveness of temporal logics [8, 32, 30, 31, 29, 13]. Recently, Clarke et al. [11] have investigated a family of universal branching logics, called AΩ, which are extensions of ACTL by sets Ω of ω-regular path operators. A subtle property of AΩ is the monotonicity of the path operators: the semantics guarantees that the extended path operators cannot be used to implicitly define negation. While this property comes for free with the standard temporal path operators, its presence is crucial for obtaining extended universal branching logics. Such logics are preserved by simulation, and are therefore amenable to existential abstraction [9, 11].

Another shortcoming of standard temporal logics stems from the fact that for the verification of concurrent software conducted at the source code level, one needs to specify both state information (program counter location, memory contents) and communication among components. For example, the Bluetooth L2CAP specification [14] asserts that "when an L2CAP_ConnectRsp event is received in a W4_L2CAP_CONNECT_RSP state, within one time unit, an L2CAP process may send out an L2CA_ConnectInd event, disable the RTX timer, and move to state CONFIG." As this example shows, both states (W4_L2CAP_CONNECT_RSP and CONFIG) and events (L2CAP_ConnectRsp and L2CA_ConnectInd) are required to properly capture the desired L2CAP behavior.

Generally, in concurrent programs, communication among modules proceeds via actions (events) which can represent function calls, requests and acknowledgments, etc. These communications can be data dependent and carry data on their channels. Existing model checking techniques typically use either state-based or event-based formalisms to represent finite-state models of programs. In principle, both frameworks are interchangeable: an action can be encoded as a change in state variables, and likewise one can equip a state with different actions to reflect different values of its internal variables. Neither approach on its own is practical, however, when it comes to the specification of data-dependent communication claims: considerable domain expertise is then required to annotate the program and to write proper specifications in temporal logic.

In this paper, we define the specification logic SE-AΩ which combines the high expressive power of AΩ with the ability to specify states and events simultaneously. The hybrid state/event-based semantics of SE-AΩ allows us to represent both software implementations and specifications directly without program annotations or privileged insights into program execution. Note that, for example, there is no natural generic extension of standard operators such as U (until) to a state/event based framework (see, e.g., [18]); SE-AΩ, however, enables us to employ different variants of CTL operators for actions and data valuations simultaneously at no additional expense. Notwithstanding its high expressive power and versatility, SE-AΩ lends itself naturally to an efficient verification strategy which combines counterexample-guided abstraction refinement (CEGAR [20, 7]) and compositional reasoning: starting with a coarse initial abstraction, our CEGAR scheme computes increasingly precise abstractions of the target system by analyzing spurious counterexamples until either a real counterexample is obtained or the system is found to be correct. More precisely, given a system $M$ composed of $n$ concurrent components $M_1, \dots, M_n$, and an SE-AΩ specification $\varphi$, the verification of $M \models \varphi$ proceeds as follows:


1. Abstract. Create an abstraction $\hat{M}$ such that all behaviors of $M$ are preserved by $\hat{M}$. This is done component-wise without constructing the full state space of $M$.

2. Verify. Verify whether $\hat{M} \models \varphi$. If so, report success and exit. Otherwise, extract an abstract counterexample $C$ that indicates in which way $\varphi$ fails in $\hat{M}$.

3. Refine. Check whether $C$ gives rise to a real counterexample over $M$. If $C$ corresponds to a genuine behavior of $M$ then report a failure along with a fragment of each $M_i$ that illustrates why $M \not\models \varphi$. If $C$ is spurious, on the other hand, refine $\hat{M}$ using $C$ to obtain a more precise abstraction and repeat from step 1. This refinement step, like the initial abstraction, is performed component-wise.


Of the three steps in this abstract-verify-refine process only the verification stage of our technique requires the explicit composition of a system. The other stages can be performed one component at a time. Since verification is performed only on abstractions (which are usually much smaller than the corresponding concrete systems), our verification approach is able to significantly reduce the state space explosion problem. Another key characteristic of our algorithm is that the verification step handles both states and events directly, i.e., without conversion into either a pure state-based or a pure event-based framework. The model checking is therefore significantly more efficient than alternative conversion-based approaches, since it has been observed that conversion can lead to a quadratic blowup in both time and space even for reachability properties [2].

Note that the universality of SE-AΩ is crucial for the correctness of our approach, and that the verification step uses automata theoretic methods to evaluate the ω-regular path operators.

To the best of our knowledge, this is the first counterexample-guided, compositional abstraction refinement scheme to perform verification of branching-time specifications. We have implemented our approach in our C verification tool MAGIC [22] which extracts state/event finite-state models from C programs automatically via predicate abstraction [28, 3]. Our experiments with a piece of robot controller software resulted in the detection of a complicated race condition error.

The rest of this article is organized as follows. In Section 2 we summarize related work. This is followed by some preliminary definitions in Section 3. In Section 4 we present the SE-AΩ logic, followed by the model checking, counterexample validation and abstraction refinement procedures described in Section 5. Finally, we give a brief overview of the application of our techniques in Section 6.
2 Related Work

Extensions of temporal logics to increase the expressiveness of temporal operators have been proposed by various authors [8, 32, 30, 31, 29, 13]. Wolper [32] and Vardi and Wolper [31] extended LTL by regular expressions and Büchi automata respectively. Vardi and Wolper [30] and Thomas [29] have proposed extended branching-time logics, but have not addressed model checking. Clarke et al. [8] describe the logic ECTL that similarly to our work considers ω-regular automata in the context of branching-time logic. However, this work does not deal with abstraction refinement or compositional methods. Clarke et al. [11] define a class AΩ of universal branching logics (cf. Section 1) for a systematic study of the complexity and completeness of counterexamples in model checking. The work of [11], however, does not define a model checking algorithm for AΩ. Our work extends the AΩ logic with the combined state/event expressiveness and provides a model checking algorithm for SE-AΩ which also applies to AΩ.

State/event-based notations have been explored by a number of authors [25, 18, 17, 2]. The novelty of our approach lies in the way in which we efficiently integrate an expressive state/event formalism with powerful state space reduction techniques, namely CEGAR and compositional reasoning. In this respect, not only do we substantially extend the expressiveness of the state/event linear temporal logic SE-LTL presented in [2], but we also show how to validate branching (tree-like) counterexamples in a compositional manner, based on new results relating simulation and weak simulation relations for parallel processes (see Theorem 4 in Section 5).

The formalization of a general notion of abstraction first appeared in [12]. The abstractions used in our approach are conservative. They are guaranteed to preserve 'undesirable' properties of the system (e.g., [19, 9]). Conservative abstractions usually lead to significant reductions in the state space but in general require an iterated abstraction refinement mechanism (such as CEGAR) in order to establish specification satisfaction. CEGAR has been used, among others, in [24] (in non-automated form), and [1, 26, 21, 15, 6, 10]. In particular, CEGAR-based schemes have been used for the verification of safety properties [1, 7, 15, 3] as well as liveness [2] properties.

Compositionality  and  abstraction  have  been  extensively  studied  in  process  algebra 
(e.g.,  [16,  23,  27]).  Abstraction  and  compositional  reasoning  have  been  combined  [4] 
within  a  single  CEGAR  scheme  to  verify  safety  properties  of  concurrent  C  programs. 


3 Preliminaries

Definition 1 (Labeled Kripke Structure). A labeled Kripke structure (LKS) is a 6-tuple $(S, init, AP, \mathcal{L}, \Sigma, T)$ where (i) $S$ is a finite non-empty set of states, (ii) $init \in S$ is an initial state, (iii) $AP$ is a finite set of atomic state propositions, (iv) $\mathcal{L} : S \to 2^{AP}$ is a state-labeling function, (v) $\Sigma$ is a finite set of actions (alphabet) and (vi) $T \subseteq S \times \Sigma \times S$ is a transition relation.

Given an LKS $M = (S, init, AP, \mathcal{L}, \Sigma, T)$, we write $S(M)$, $init(M)$, $AP(M)$, $\mathcal{L}(M)$, $\Sigma(M)$ and $T(M)$ to mean $S$, $init$, $AP$, $\mathcal{L}$, $\Sigma$ and $T$ respectively. Given $s, s' \in S$ and $a \in \Sigma$ we write $s \xrightarrow{a} s'$ to mean $(s, a, s') \in T$. Also, let $Succ(s, a) = \{s' \in S \mid s \xrightarrow{a} s'\}$ and $Enabled(s) = \{a \in \Sigma \mid Succ(s, a) \neq \emptyset\}$. Finally, a path of $M$ is an infinite sequence of consecutive transitions $s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} s_2 \xrightarrow{a_2} \cdots$. Note that we do not require paths to begin with $init$.

Definition 2 (Parallel Composition). Let $M_1$ and $M_2$ be two LKSs such that $AP(M_1) \cap AP(M_2) = \emptyset$. Then the parallel composition of $M_1$ and $M_2$, denoted by $M_1 \| M_2$, is an LKS obeying the following conditions: (i) $S(M_1 \| M_2) = S(M_1) \times S(M_2)$, (ii) $init(M_1 \| M_2) = (init(M_1), init(M_2))$, (iii) $AP(M_1 \| M_2) = AP(M_1) \cup AP(M_2)$, and (iv) $\Sigma(M_1 \| M_2) = \Sigma(M_1) \cup \Sigma(M_2)$. Moreover, for all $s_1, s_1' \in S(M_1)$, $s_2, s_2' \in S(M_2)$, and $a \in \Sigma(M_1 \| M_2)$, the labeling function $\mathcal{L}(M_1 \| M_2)$ and the transition relation $T(M_1 \| M_2)$ are defined as follows:

- $\mathcal{L}(M_1 \| M_2)((s_1, s_2)) = \mathcal{L}(M_1)(s_1) \cup \mathcal{L}(M_2)(s_2)$.

- If $s_1 \xrightarrow{a} s_1'$ and $s_2 \xrightarrow{a} s_2'$ then $(s_1, s_2) \xrightarrow{a} (s_1', s_2')$.

- If $s_1 \xrightarrow{a} s_1'$ and $a \notin \Sigma(M_2)$ then $(s_1, s_2) \xrightarrow{a} (s_1', s_2)$.

- If $s_2 \xrightarrow{a} s_2'$ and $a \notin \Sigma(M_1)$ then $(s_1, s_2) \xrightarrow{a} (s_1, s_2')$.

This notion of parallel composition is derived from CSP [16, 27]; it is commutative and associative, so that no parentheses are needed when composing more than two LKSs together.

Definition 3 (Simulation). Let $M_1$ and $M_2$ be LKSs with $\Sigma(M_1) = \Sigma(M_2) = \Sigma$ and $AP(M_1) = AP(M_2)$. A relation $R \subseteq S(M_1) \times S(M_2)$ is said to be a simulation relation iff it satisfies the following conditions:

1. If $(s_1, s_2) \in R$ then $\mathcal{L}(M_1)(s_1) = \mathcal{L}(M_2)(s_2)$.

2. For any $s_1, s_1' \in S(M_1)$, $s_2 \in S(M_2)$, and $a \in \Sigma$, if $(s_1, s_2) \in R$ and $s_1 \xrightarrow{a} s_1'$ then there exists $s_2' \in S(M_2)$ such that $s_2 \xrightarrow{a} s_2'$ and $(s_1', s_2') \in R$.

For two LKSs $M_1$ and $M_2$, if there exists a simulation relation $R$ such that $(init(M_1), init(M_2)) \in R$ then we say that $M_1$ is simulated by $M_2$ and denote this by $M_1 \preceq M_2$. The following is well-known [23]:

Theorem 1. Let $M_1, \dots, M_n, N_1, \dots, N_n$ be LKSs such that $N_i \preceq M_i$ for $1 \le i \le n$. Then $(N_1 \| \cdots \| N_n) \preceq (M_1 \| \cdots \| M_n)$.


In our framework, (existential) abstractions are obtained by 'lumping' together states of a concrete LKS: abstract states are disjoint sets of concrete states; cf. [9]. In the remainder of this paper, we often use the letter $M$ to denote a concrete LKS and its hatted counterpart $\hat{M}$ to denote an abstract LKS. Note that an abstraction $\hat{M}$ of $M$ is entirely determined by an equivalence relation $R \subseteq S(M) \times S(M)$. We only consider admissible equivalence relations, i.e., we require that for all $s, s' \in S(M)$, whenever $(s, s') \in R$ then $\mathcal{L}(M)(s) = \mathcal{L}(M)(s')$. Given a state $s \in S(M)$, we denote its corresponding equivalence class by $[s]_R$ (or simply $[s]$ when $R$ is clear from context).

Definition 4 (Abstraction). Let $M$ be an LKS and $R$ be an admissible equivalence relation on $S(M)$. Then $M^R$ is the abstract quotient LKS induced by $R$ such that (i) $S(M^R) = \{[s] \mid s \in S(M)\}$, (ii) $init(M^R) = [init(M)]$, (iii) $AP(M^R) = AP(M)$, (iv) for all $[s] \in S(M^R)$, $\mathcal{L}(M^R)([s]) = \mathcal{L}(M)(s)$ (well-defined since $R$ is admissible), (v) $\Sigma(M^R) = \Sigma(M)$, and (vi) $T(M^R) = \{([s], a, [s']) \mid (s, a, s') \in T(M)\}$.

For $s \in S(M)$ and $a \in \Sigma(M)$, the set of abstract successors of $s$ along $a$ is defined to be $AbsSucc(s, a) = \{[s'] \in S(M^R) \mid (s, a, s') \in T(M)\}$.

It is easy to see that for any $M$ and $R$, $M \preceq M^R$. Combining this with Theorem 1 we get the following result.

Lemma 1. Let $M_1, \dots, M_n$ be LKSs and $R_1, \dots, R_n$ be admissible equivalence relations. Then $(M_1 \| \cdots \| M_n) \preceq (M_1^{R_1} \| \cdots \| M_n^{R_n})$.
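As an added illustration (not code from the paper or from MAGIC), the following Python implements Definitions 1 to 4 on a constructed worker/lock pair and checks Lemma 1 by computing a simulation relation as a greatest fixpoint; all state names, actions and propositions are assumptions made for the example.

```python
from itertools import product

class LKS:
    """Labeled Kripke structure (Definition 1): (S, init, AP, L, Sigma, T)."""
    def __init__(self, states, init, ap, label, alphabet, trans):
        self.S, self.init, self.AP = frozenset(states), init, frozenset(ap)
        self.L = {s: frozenset(label[s]) for s in self.S}
        self.Sigma, self.T = frozenset(alphabet), frozenset(trans)

def compose(m1, m2):
    """Parallel composition M1 || M2 (Definition 2): shared actions synchronise, local ones interleave."""
    assert not (m1.AP & m2.AP), "components must have disjoint atomic propositions"
    states = set(product(m1.S, m2.S))
    label = {(s1, s2): m1.L[s1] | m2.L[s2] for (s1, s2) in states}
    trans = set()
    for (s1, s2) in states:
        for (q1, a, q1p) in m1.T:
            if q1 != s1:
                continue
            if a in m2.Sigma:   # shared action: M2 must move on a at the same time
                trans |= {((s1, s2), a, (q1p, q2p)) for (q2, b, q2p) in m2.T if q2 == s2 and b == a}
            else:               # action local to M1
                trans.add(((s1, s2), a, (q1p, s2)))
        for (q2, a, q2p) in m2.T:   # actions local to M2
            if q2 == s2 and a not in m1.Sigma:
                trans.add(((s1, s2), a, (s1, q2p)))
    return LKS(states, (m1.init, m2.init), m1.AP | m2.AP, label, m1.Sigma | m2.Sigma, trans)

def quotient(m, classes):
    """Abstract quotient M^R (Definition 4); `classes` lists the equivalence classes of R."""
    cls_of = {s: frozenset(c) for c in classes for s in c}
    assert set(cls_of) == set(m.S), "the classes must partition S(M)"
    for c in classes:   # admissibility: every state of a class carries the same labels
        assert len({m.L[s] for s in c}) == 1, "inadmissible equivalence relation"
    states = set(cls_of.values())
    label = {c: m.L[next(iter(c))] for c in states}
    trans = {(cls_of[s], a, cls_of[sp]) for (s, a, sp) in m.T}
    return LKS(states, cls_of[m.init], m.AP, label, m.Sigma, trans)

def simulates(m1, m2):
    """True iff M1 is simulated by M2 (Definition 3). Start from every label-compatible pair and
    drop each pair with a move of M1 that M2 cannot answer, until a fixpoint is reached."""
    assert m1.Sigma == m2.Sigma and m1.AP == m2.AP
    rel = {(s1, s2) for s1 in m1.S for s2 in m2.S if m1.L[s1] == m2.L[s2]}
    moves, answers = {}, {}
    for (q, a, qp) in m1.T:
        moves.setdefault(q, []).append((a, qp))
    for (q, a, qp) in m2.T:
        answers.setdefault((q, a), set()).add(qp)
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(rel):
            for (a, s1p) in moves.get(s1, []):
                if not any((s1p, s2p) in rel for s2p in answers.get((s2, a), ())):
                    rel.discard((s1, s2))
                    changed = True
                    break
    return (m1.init, m2.init) in rel

# Constructed sample (not from the paper): a worker that requests, acquires and releases a lock.
def worker():
    return LKS({'w0', 'w1', 'w2'}, 'w0', {'crit'},
               {'w0': set(), 'w1': set(), 'w2': {'crit'}}, {'req', 'acq', 'rel'},
               {('w0', 'req', 'w1'), ('w1', 'acq', 'w2'), ('w2', 'rel', 'w0')})

def lock():
    return LKS({'l0', 'l1'}, 'l0', {'held'}, {'l0': set(), 'l1': {'held'}}, {'acq', 'rel'},
               {('l0', 'acq', 'l1'), ('l1', 'rel', 'l0')})

def check_lemma1():
    """Lump the worker's unlabelled states w0 and w1 into one abstract state; keep the lock exact."""
    w, l = worker(), lock()
    w_abs = quotient(w, [{'w0', 'w1'}, {'w2'}])
    l_abs = quotient(l, [{'l0'}, {'l1'}])
    return {
        'worker_below_abstraction': simulates(w, w_abs),            # M ≼ M^R always holds
        'abstraction_below_worker': simulates(w_abs, w),            # fails: M^R can take req twice
        'composition_below_abstract_composition':                   # Lemma 1
            simulates(compose(w, l), compose(w_abs, l_abs)),
        'concrete_vs_abstract_states': (len(compose(w, l).S), len(compose(w_abs, l_abs).S)),
    }
```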

4 The Logic SE-AΩ

Following [11], we define a universal branching-time logic called State-Event Universal Logic (SE-AΩ). The logic is interpreted over LKSs and can be used to specify properties involving both data and actions in a natural manner. SE-AΩ is defined in negation normal form, i.e., negations are only applied to atomic propositions. Unlike ACTL or ACTL*, it does not have a fixed set of operators. Rather, any ω-regular language can serve as a temporal operator. Since the logic is universal, every such operator is preceded by a universal path quantifier $A$.

Similarly to usual temporal operators, the new operators are applied to other formulas in the logic. Syntactically, this is done by defining an ω-regular language $\mathcal{O}$ over a set of markers that serve as placeholders for the formulas to which $O$ is applied. Since SE-AΩ is aimed at specifying both actions and data, its operators can be applied to subsets of actions as well as formulas over atomic propositions.

Formally, let $Mark = \{m_1, m_2, \dots\}$ be a denumerable set of markers and let $m = \{m_1, \dots, m_n\}$ be a finite subset of $Mark$. Let $\mathcal{O}$ be an ω-regular language over the alphabet $2^m$. The corresponding $n$-ary temporal operator will be denoted by $O$. Let $AP$ be a set of atomic propositions and $\Sigma$ be a set of actions. Then the syntax of SE-AΩ is defined inductively as follows.

- If $p \in AP$ then $p$ and $\neg p$ are formulas.

- If $\varphi_1$ and $\varphi_2$ are formulas then so are $\varphi_1 \vee \varphi_2$ and $\varphi_1 \wedge \varphi_2$.

- Let $O$ be an $n$-ary temporal operator and, for $1 \le i \le n$, let $\varphi_i$ be either a formula or a subset of $\Sigma$. Then $AO(\varphi_1, \dots, \varphi_n)$ is a formula.

The semantics of SE-AΩ is defined over LKSs. More precisely, given an SE-AΩ formula $\varphi$, an LKS $M$, and $s \in S(M)$ we write $M, s \models \varphi$ to mean that $s$ satisfies $\varphi$, defined inductively as follows:

- For $p \in AP$, $M, s \models p$ iff $p \in \mathcal{L}(s)$ and $M, s \models \neg p$ iff $p \notin \mathcal{L}(s)$.

- $M, s \models \varphi_1 \vee \varphi_2$ iff $M, s \models \varphi_1$ or $M, s \models \varphi_2$.

- $M, s \models \varphi_1 \wedge \varphi_2$ iff $M, s \models \varphi_1$ and $M, s \models \varphi_2$.

- $M, s \models AO(\varphi_1, \dots, \varphi_n)$ iff for every path $\pi$ starting from $s$, we have $M, \pi \models O(\varphi_1, \dots, \varphi_n)$ [as defined below].

Let $\pi = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} s_2 \cdots$ be a path of $M$ and $\pi^i$ be its suffix starting from $s_i$. We first define when $\pi$ satisfies an argument $\varphi_k$ of the operator $O$: $M, \pi \models \varphi_k$ iff either $\varphi_k \subseteq \Sigma$ and $a_0 \in \varphi_k$, or $\varphi_k$ is a formula and $M, s_0 \models \varphi_k$.

Let $O(\varphi_1, \dots, \varphi_n)$ be as above, and $\mathcal{O}$ be the ω-regular language corresponding to $O$. Recall that the alphabet of $\mathcal{O}$ is $2^m$ where $m = \{m_1, \dots, m_n\}$. Then $M, \pi \models O(\varphi_1, \dots, \varphi_n)$ iff there is a word $o = o_0 o_1 \cdots \in \mathcal{O}$ such that for all $i \ge 0$ and for all $m_k \in o_i$, $M, \pi^i \models \varphi_k$.

Lastly, we write $M \models \varphi$ to mean $M, init(M) \models \varphi$.

As an example, let $\mathcal{O} = \{m_1, m_2\}^* \{m_1, m_3\} \{m_4\} \{\}^\omega$ be an ω-regular expression. Then $O(\varphi, \{a\}, \{b\}, \psi)$ represents an 'until' operator that captures paths in which $\varphi\, U\, \psi$ holds along a sequence of $a$ actions ending with the action $b$. This example demonstrates that in addition to formulas $\varphi_k$ that should hold, the logic SE-AΩ allows us to restrict the actions that can be performed, by using $\varphi_k \subseteq \Sigma$.

An important property of the logic SE-AΩ is that it is preserved by the simulation relation. This is formalized by the following lemma.

Lemma 2. Given two LKSs $M_1$ and $M_2$ and an SE-AΩ formula $\varphi$, if $M_2 \models \varphi$ and $M_1 \preceq M_2$, then $M_1 \models \varphi$.


5 Compositional CEGAR Verification for SE-AΩ

Let $M_1, \dots, M_n$ be LKSs and let $\varphi$ be an SE-AΩ formula. In seeking to determine whether $M = M_1 \| \cdots \| M_n \models \varphi$, we wish to avoid constructing the full LKS $M$, since the size of its state space increases exponentially with the number of its components. We therefore first compute a (typically much smaller) abstraction $\hat{M}_i$ of each component $M_i$, and only then check whether $\hat{M} = \hat{M}_1 \| \cdots \| \hat{M}_n \models \varphi$. If this holds, we conclude that $M \models \varphi$ as well. Otherwise, we extract from $\hat{M}$ a counterexample $C$ violating $\varphi$, and check whether this counterexample is valid, i.e., whether it corresponds to a real execution of $M$. In the affirmative, we conclude that $M \not\models \varphi$. Otherwise, we use this spurious counterexample to refine our abstractions, and repeat the process until either a real counterexample is found or the property is shown to hold. The main strength of our approach is the fact that the abstraction, counterexample-validation, and refinement steps are all carried out one component at a time, so that it is never necessary to construct the full state space of the concrete system $M$.

5.1 Model Checking

Let $\hat{M}$ be an LKS¹, $s \in S(\hat{M})$, and $\varphi$ be an SE-AΩ formula. We give a model-checking algorithm to determine whether $\hat{M}, s \models \varphi$. We proceed by structural induction on $\varphi$, starting with the case in which $\varphi$ is of the form $AO(\varphi_1, \dots, \varphi_n)$. Let $\mathcal{O}$ be the ω-regular language over $m = \{m_1, \dots, m_n\}$ corresponding to $O$. The algorithm consists of the following steps: (i) compute from $\hat{M}$ and $s$ the 'smallest' ω-regular language $\mathcal{O}_s$ over the alphabet $2^m$ such that $\hat{M}, s \models AO_s(\varphi_1, \dots, \varphi_n)$, and (ii) check whether $\mathcal{O}_s$ is 'subsumed' by $\mathcal{O}$.

¹ In the interests of consistency and clarity, we present our approach in both this section and the next in terms of the abstract LKS $\hat{M}$, although it naturally applies to concrete systems as well.

Intuitively, the idea is to interpret each path $\pi$ in $\hat{M}$ as a sequence of maximal subsets of formulas (among $\varphi_1, \dots, \varphi_n$) that hold along $\pi$. We then check whether replacing each $\varphi_j$ with the corresponding marker $m_j$ results in a sequence belonging to $\mathcal{O}$.

In order to do so we build an automaton $B_s$ obtained from $\hat{M}$ by replacing every action $a$, in transitions of the form $(q, a, q')$, with the subset of markers corresponding to the formulas that hold for the transition. More precisely, if $\varphi_j$ is an SE-AΩ formula, we include the corresponding marker $m_j$ provided that $\hat{M}, q \models \varphi_j$, and if $\varphi_j \subseteq \Sigma(\hat{M})$, we include $m_j$ if $a \in \varphi_j$.

To make this more rigorous, we first recall the notion of Büchi automata:

Definition 5 (Büchi Automaton). A Büchi automaton is a 5-tuple $B = (S, I, \Sigma, T, Acc)$ where (i) $S$ is a finite non-empty set of states, (ii) $I \subseteq S$ is a set of initial states, (iii) $\Sigma$ is a finite alphabet, (iv) $T \subseteq S \times \Sigma \times S$ is a transition relation, and (v) $Acc \subseteq S$ is a set of accepting states.

A path of $B$ is an infinite sequence $\pi = q_0 \xrightarrow{a_0} q_1 \xrightarrow{a_1} \cdots$ such that $q_0 \in I$, and for every $i$, $(q_i, a_i, q_{i+1}) \in T$. $\pi$ is accepting if it visits the set $Acc$ infinitely often.

The language $\mathcal{O}_s$ is represented by a Büchi automaton $B_s$, which is derived from $\hat{M}$ as follows: $B_s = (S_s, I_s, \Sigma_s, T_s, Acc_s)$, where (i) $S_s = S(\hat{M})$, (ii) $I_s = \{s\}$, (iii) $\Sigma_s = 2^m$, (iv) $Acc_s = S(\hat{M})$, and (v) $T_s$ is the set of transitions such that for each $(q, a, q') \in T(\hat{M})$, $T_s$ includes a transition $(q, m', q')$ such that $m' \subseteq m$ and the following condition holds: for $1 \le j \le n$, $m_j \in m'$ iff either $\varphi_j \subseteq \Sigma(\hat{M})$ and $a \in \varphi_j$, or $\varphi_j$ is a formula and $\hat{M}, q \models \varphi_j$.

Note that in order to construct $B_s$ we need to know whether $\hat{M}, q \models \varphi_i$ for every $q \in S(\hat{M})$ and every $i \in \{1, \dots, n\}$. This is achieved by invoking the model checking algorithm recursively.

In the second step, we must check whether $\mathcal{O}_s$ is subsumed by $\mathcal{O}$. Observe first that it is not enough to simply check whether $\mathcal{O}_s \subseteq \mathcal{O}$. That is because $\mathcal{O}$ and $\mathcal{O}_s$ are defined over the alphabet $2^m$, and SE-AΩ is 'monotonic' (cf. [11]). In order to define monotonicity of SE-AΩ we consider two ω-regular languages $\mathcal{O}$ and $\mathcal{O}'$ over $m$ that satisfy: for every $w = w_1 w_2 \cdots \in \mathcal{O}$ there exists $w' = w_1' w_2' \cdots \in \mathcal{O}'$ such that for every $i \ge 1$, $w_i \subseteq w_i'$. Then for every model $M$, if $M \models AO'(\varphi_1, \dots, \varphi_k)$ then $M \models AO(\varphi_1, \dots, \varphi_k)$. For example, let $m = \{m_1, m_2, m_3\}$, and suppose that $\mathcal{O} = \{m_2\}^\omega$ and that $\mathcal{O}_s = \{m_1, m_2\}^\omega$. Then $\hat{M}, s \models AO_s(\varphi_1, \varphi_2, \varphi_3)$ and, thanks to monotonicity, $\hat{M}, s \models AO(\varphi_1, \varphi_2, \varphi_3)$ as well, even though $\mathcal{O}_s \not\subseteq \mathcal{O}$. To overcome this problem, we check whether $\mathcal{O}_s \subseteq {\uparrow}\mathcal{O}$, where ${\uparrow}\mathcal{O} = (\{m_2\} + \{m_1, m_2\} + \{m_2, m_3\} + \{m_1, m_2, m_3\})^\omega$. The language ${\uparrow}\mathcal{O}$ is called the monotonic closure of $\mathcal{O}$ and, intuitively, is obtained by replacing in $\mathcal{O}$ every occurrence of a set of markers $m' \subseteq m$ by the sum of all the sets of markers $m''$ such that $m' \subseteq m'' \subseteq m$. Formally:

Definition 6 (Monotonic Closure). Let $B = (S_B, I_B, 2^m, T_B, Acc_B)$ be a Büchi automaton accepting some ω-regular language $\mathcal{O}$. The monotonic closure of $\mathcal{O}$ is the ω-regular language accepted by the Büchi automaton ${\uparrow}B = (S_{{\uparrow}B}, I_{{\uparrow}B}, 2^m, T_{{\uparrow}B}, Acc_{{\uparrow}B})$ constructed from $B$ as follows: $S_{{\uparrow}B} = S_B$, $I_{{\uparrow}B} = I_B$, $Acc_{{\uparrow}B} = Acc_B$, and $T_{{\uparrow}B} = \{(q, m'', q') \mid \exists m' \subseteq m''.\ (q, m', q') \in T_B\}$.

The correctness of our two-step procedure is encapsulated by the following:

Theorem 2. $\hat{M}, s \models AO(\varphi_1, \dots, \varphi_n)$ iff $\mathcal{O}_s \subseteq {\uparrow}\mathcal{O}$.

The other cases (in which $\varphi$ is not an ω-regular operator) are straightforward. To summarize, $\hat{M}, s \models \varphi$ iff:

- $p \in \mathcal{L}(s)$ if $\varphi = p$, and $p \notin \mathcal{L}(s)$ if $\varphi = \neg p$, where $p \in AP$.

- $\hat{M}, s \models \varphi_1$ and $\hat{M}, s \models \varphi_2$ if $\varphi = \varphi_1 \wedge \varphi_2$.

- $\hat{M}, s \models \varphi_1$ or $\hat{M}, s \models \varphi_2$ if $\varphi = \varphi_1 \vee \varphi_2$.

- $\mathcal{O}_s \subseteq {\uparrow}\mathcal{O}$ if $\varphi = AO(\varphi_1, \dots, \varphi_n)$, where $\mathcal{O}_s$ and ${\uparrow}\mathcal{O}$ are defined as above.
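To make the two-step procedure concrete, here is an added Python example (not the paper's or MAGIC's code) that builds $B_s$ from a constructed LKS, computes the closure automaton of Definition 6, and decides membership of an ultimately periodic word; it reuses the $\{m_2\}^\omega$ example above and the 'until' operator of Section 4 on a constructed LKS with a single path, where $\mathcal{O}_s$ is one word and Theorem 2 reduces to membership of that word in ${\uparrow}\mathcal{O}$. State names, actions and the callback standing in for the recursive model-checking call are assumptions of the example.

```python
from itertools import combinations

def powerset(markers):
    """All subsets of a marker set m as frozensets: the alphabet 2^m."""
    markers = sorted(markers)
    return [frozenset(c) for r in range(len(markers) + 1) for c in combinations(markers, r)]

class Buchi:
    """Büchi automaton (Definition 5): states, initial states, alphabet, transitions, accepting states."""
    def __init__(self, states, init, alphabet, trans, acc):
        self.S, self.I, self.A = frozenset(states), frozenset(init), frozenset(alphabet)
        self.T, self.Acc = frozenset(trans), frozenset(acc)

def build_Bs(states, trans, s, args, holds):
    """B_s (Section 5.1): each LKS transition (q, a, q') is relabelled with the markers j whose argument
    holds there, i.e. a in phi_j for an action-set argument or M,q |= phi_j for a formula argument.
    `holds(q, formula)` stands in for the recursive call of the model checker (assumed callback)."""
    markers = list(range(1, len(args) + 1))
    relabelled = set()
    for (q, a, qp) in trans:
        mp = frozenset(j for j, arg in zip(markers, args)
                       if ((a in arg) if isinstance(arg, frozenset) else holds(q, arg)))
        relabelled.add((q, mp, qp))
    return Buchi(states, {s}, powerset(markers), relabelled, states)   # Acc_s = S(M)

def monotonic_closure(b, markers):
    """Closure automaton of Definition 6: a transition labelled m' is copied for every m'' with m' ⊆ m''."""
    closed = {(q, mpp, qp) for (q, mp, qp) in b.T for mpp in powerset(markers) if mp <= mpp}
    return Buchi(b.S, b.I, powerset(markers), closed, b.Acc)

def accepts_lasso(b, prefix, loop):
    """Membership of the ultimately periodic word prefix.loop^omega. The word is unfolded into positions
    0..len(prefix)+len(loop)-1 (the last one wraps back to len(prefix)); the automaton accepts iff some
    (accepting state, loop position) is reachable from an initial state and lies on a cycle."""
    assert loop, "the periodic part must be non-empty"
    word = list(prefix) + list(loop)
    n, k = len(word), len(prefix)
    def step(node):
        q, i = node
        nxt = i + 1 if i + 1 < n else k
        return {(qp, nxt) for (qq, lab, qp) in b.T if qq == q and lab == word[i]}
    def reachable(start):   # nodes reachable in one or more steps
        seen, todo = set(), set(start)
        while todo:
            for nb in step(todo.pop()):
                if nb not in seen:
                    seen.add(nb)
                    todo.add(nb)
        return seen
    starts = {(q, 0) for q in b.I}
    for node in starts | reachable(starts):
        q, i = node
        if q in b.Acc and i >= k and node in reachable({node}):
            return True
    return False

def closure_example():
    """O = {m2}^omega over m = {m1, m2, m3}: {m1, m2}^omega lies outside O but inside its closure."""
    m = {1, 2, 3}
    O = Buchi({'q'}, {'q'}, powerset(m), {('q', frozenset({2}), 'q')}, {'q'})
    up_O = monotonic_closure(O, m)
    w = [frozenset({1, 2})]
    return accepts_lasso(O, [], w), accepts_lasso(up_O, [], w), {lab for (_, lab, _) in up_O.T}

def until_example(q_holds_at_s2):
    """AO(p, {a}, {b}, q) with O = {m1,m2}*{m1,m3}{m4}{}^omega from Section 4, checked at s0 of a
    constructed LKS with the single path s0 -a-> s1 -b-> s2 -c-> s2 ...; O_s is then one word."""
    label = {'s0': {'p'}, 's1': {'p'}, 's2': {'q'} if q_holds_at_s2 else set()}
    trans = {('s0', 'a', 's1'), ('s1', 'b', 's2'), ('s2', 'c', 's2')}
    args = ['p', frozenset({'a'}), frozenset({'b'}), 'q']
    Bs = build_Bs(set(label), trans, 's0', args, lambda q, f: f in label[q])
    m = {1, 2, 3, 4}
    O = Buchi({'x', 'y', 'z'}, {'x'}, powerset(m),
              {('x', frozenset({1, 2}), 'x'), ('x', frozenset({1, 3}), 'y'),
               ('y', frozenset({4}), 'z'), ('z', frozenset(), 'z')}, {'z'})
    lab = {(q, qp): l for (q, l, qp) in Bs.T}         # the unique path of B_s, read as a lasso word
    prefix, loop = [lab['s0', 's1'], lab['s1', 's2']], [lab['s2', 's2']]
    return accepts_lasso(monotonic_closure(O, m), prefix, loop)
```

Checking $\mathcal{O}_s \subseteq {\uparrow}\mathcal{O}$ for an LKS with branching paths needs a Büchi inclusion test, which this example does not implement.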


5.2 Counterexample Generation

Let $\hat{M}$ be an LKS, $s \in S(\hat{M})$, and $\varphi$ be an SE-AΩ formula. Suppose that $\hat{M}, s \not\models \varphi$. In this section, we show how to compute a counterexample to $\varphi$, i.e., a fragment of $\hat{M}$ beginning at state $s$ that violates $\varphi$. As for the model-checking algorithm of SE-AΩ, we give a recursive procedure:

- If $\varphi = \varphi_1 \vee \varphi_2$, then compute counterexamples $C_1$ and $C_2$ to $\varphi_1$ and $\varphi_2$ respectively, and glue $C_1$ and $C_2$ at their initial states. Indeed, $\hat{M}, s \not\models \varphi_1 \vee \varphi_2$ iff $\hat{M}, s \not\models \varphi_1$ and $\hat{M}, s \not\models \varphi_2$.

- If $\varphi = \varphi_1 \wedge \varphi_2$, then compute a counterexample either to $\varphi_1$ or to $\varphi_2$. Indeed, $\hat{M}, s \not\models \varphi_1 \wedge \varphi_2$ iff $\hat{M}, s \not\models \varphi_1$ or $\hat{M}, s \not\models \varphi_2$.

- If $\varphi = AO(\varphi_1, \dots, \varphi_n)$, proceed as follows. Since $\hat{M}, s \not\models \varphi$, there exists a pattern in $\mathcal{O}_s$ that is not in ${\uparrow}\mathcal{O}$. Let $\pi = s_0 \xrightarrow{m_0} s_1 \xrightarrow{m_1} \cdots$ (where $s_0 = s$) be an accepting path of $B_s$ such that the ω-word $m_0 m_1 \cdots$ does not belong to ${\uparrow}\mathcal{O}$. Recall that by the definition of the automaton $B_s$, each transition $s_i \xrightarrow{m_i} s_{i+1}$ corresponds to a transition $s_i \xrightarrow{a_i} s_{i+1}$ in $T(\hat{M})$. Let therefore $s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots$ be the corresponding path of $\pi$ in $\hat{M}$. This path then clearly violates $O(\varphi_1, \dots, \varphi_n)$. To compute a counterexample to $\varphi$, it suffices to take this path and to glue to each state $s_i$ counterexamples to all formulas $\varphi_j$ such that $\hat{M}, s_i \not\models \varphi_j$. (Note that, while the path is infinite, it comprises only finitely many distinct states.)

Owing to the direct manner in which a counterexample $C$ is extracted from an LKS $\hat{M}$, there is a canonical mapping $\rho : S(C) \to S(\hat{M})$ which satisfies the following conditions: (i) $\rho(init(C)) = init(\hat{M})$, (ii) for all $q \in S(C)$, $\mathcal{L}(C)(q) = \mathcal{L}(\hat{M})(\rho(q))$, and (iii) if $(q, a, q') \in T(C)$, then $(\rho(q), a, \rho(q')) \in T(\hat{M})$. We shall make use of $\rho$ later on in the refinement step.
Example 1. Figure 1 (a) shows an LKS $M$ with $AP(M) = \{p, q\}$, $\Sigma(M) = \{a, b\}$, and initial state $s_1$. (b) shows the abstract quotient LKS $M^R$ induced by the equivalence relation $R$ having equivalence classes $\{s_1, s_2\}$ and $\{s_3, s_4\}$. Let $\varphi$ be the formula (in CTL-like notation) $AG(\{a\} \Rightarrow A(p \vee Xp \vee XXp))$. $\varphi$ asserts that on all paths, whenever the action $a$ occurs from a state $s$, then the atomic proposition $p$ either holds at $s$ or, along any path starting at $s$, in one of the next two states. It is not hard to see that $M^R \not\models \varphi$, and indeed (c) shows a counterexample $C$ illustrating this. The dotted arrows from $C$ to $M^R$ represent the canonical mapping $\rho$.


[Figure 1: four panels (a), (b), (c), (d); the drawing itself is not reproduced here.]

Fig. 1. (a) concrete LKS $M$; (b) abstract LKS $M^R$; (c) counterexample $C$; (d) refined abstract LKS $M^{R'}$.


Observe, however, that the counterexample is in fact spurious. Indeed, the abstract LKS $M^{R'}$ pictured in (d) is a refinement of $M^R$ induced by the equivalence relation $R'$ having equivalence classes $\{s_1\}$, $\{s_2\}$, and $\{s_3, s_4\}$. Since $M^{R'} \models \varphi$, we conclude that $M \models \varphi$ as well.

5.3 Counterexample Validation

Suppose that $\hat{M}, s \not\models \varphi$ for some SE-AΩ formula $\varphi$, and let $C$ be a counterexample to $\varphi$. Recall that $\hat{M}$ is an abstraction of a concrete LKS $M$. We say that $C$ is a valid counterexample iff $C \preceq M$. Indeed, from Lemma 2 we get:

Theorem 3. Let $\varphi$ be an SE-AΩ formula. If $C \preceq M$ and $C \not\models \varphi$, then $M \not\models \varphi$.

Intuitively, this holds because SE-AΩ formulas describe properties that are quantified over all possible paths of the structure.

This result suggests a way to formally check whether a counterexample $C$ is valid for a concrete system $M$ or not. However, as mentioned earlier, when $M$ is a concurrent C program built of components $M_1, \dots, M_n$, we are faced with the problem that even if each component $M_i$ has a finite state space, constructing the state space of $M$ might be prohibitive in practice due to exponential blowup. To overcome this problem, we propose to check if the concrete system $M$ simulates the counterexample $C$ in a compositional way by checking whether for every $i \in \{1, \dots, n\}$, $M_i$ weakly simulates the $i$th projection of $C$.

Definition 7 ($i$th Projection). Let $M = M_1 \,\|\, \ldots \,\|\, M_n$ be a parallel composition of
LKSs, and let $C$ be a further LKS. For any $i \in \{1, \ldots, n\}$, $C\!\restriction_i$ is the LKS defined by:
(i) $S(C\!\restriction_i) = S(C)$, (ii) $init(C\!\restriction_i) = init(C)$, (iii) $AP(C\!\restriction_i) = AP(M_i)$, (iv) for
any $s \in S(C\!\restriction_i)$, $\mathcal{L}(C\!\restriction_i)(s) = \mathcal{L}(C)(s) \cap AP(M_i)$, (v) $\Sigma(C\!\restriction_i) = \Sigma(M_i) \cup \{\tau\}$,² and
(vi) $T(C\!\restriction_i)$ is defined as follows:

-  If $(s, a, s') \in T(C)$ and $a \in \Sigma(M_i)$ then $(s, a, s') \in T(C\!\restriction_i)$.

-  If $(s, a, s') \in T(C)$ and $a \notin \Sigma(M_i)$ then $(s, \tau, s') \in T(C\!\restriction_i)$.

The introduction of $\tau$ actions also naturally leads to a weak version of simulation,
which we define next, specialized to the case in which only the system being simulated
is capable of performing $\tau$'s.

Definition 8 (Weak Simulation). Let $C$ and $M$ be LKSs such that $\Sigma(C) = \Sigma(M) \cup \{\tau\}$
and $AP(C) = AP(M)$. A relation $R \subseteq S(C) \times S(M)$ is said to be a weak
simulation relation iff $R$ satisfies the following conditions:

1.  If $(s_1, s_2) \in R$ then $\mathcal{L}(C)(s_1) = \mathcal{L}(M)(s_2)$.

2.  For any $s_1, s'_1 \in S(C)$, $s_2 \in S(M)$, and $a \in \Sigma(C) \setminus \{\tau\}$, if $(s_1, s_2) \in R$ and
$s_1 \xrightarrow{a} s'_1$ then there exists $s'_2 \in S(M)$ such that $s_2 \xrightarrow{a} s'_2$ and $(s'_1, s'_2) \in R$.

3.  For any $s_1, s'_1 \in S(C)$ and $s_2 \in S(M)$, if $(s_1, s_2) \in R$ and $s_1 \xrightarrow{\tau} s'_1$ then
$(s'_1, s_2) \in R$.

For two LKSs $C$ and $M$, if there exists a weak simulation relation $R$ such that
$(init(C), init(M)) \in R$ then we say that $C$ is weakly simulated by $M$ and denote this
by $C \preceq_w M$.

The following key result forms the basis of our compositional approach to counterexample
validation.

Theorem 4 (Compositionality). Let $M_1, \ldots, M_n$ be LKSs and let $C$ be a further LKS.
Then $C \preceq (M_1 \,\|\, \ldots \,\|\, M_n)$ iff $C\!\restriction_i \preceq_w M_i$ for $1 \le i \le n$.

Proof. (Sketch.) Consider the case $n = 2$; the general case is handled in a similar
manner. Suppose first that $C \preceq M_1 \,\|\, M_2$. Let $R \subseteq S(C) \times S(M_1 \,\|\, M_2)$ be a
corresponding simulation relation. Define $R_1 = \{(s, s_1) \mid \exists s_2 .\ (s, (s_1, s_2)) \in R\}$ and
$R_2 = \{(s, s_2) \mid \exists s_1 .\ (s, (s_1, s_2)) \in R\}$. It is readily verified that $R_1$ (resp. $R_2$) is a weak
simulation relation between $C\!\restriction_1$ and $M_1$ (resp. $C\!\restriction_2$ and $M_2$). Therefore $C\!\restriction_1 \preceq_w M_1$ and
$C\!\restriction_2 \preceq_w M_2$.

In the other direction, let $R_1$ and $R_2$ be two weak simulation relations witnessing
$C\!\restriction_1 \preceq_w M_1$ and $C\!\restriction_2 \preceq_w M_2$ respectively. Let $R = \{(s, (s_1, s_2)) \mid (s, s_1) \in R_1 \wedge
(s, s_2) \in R_2\}$. It is easy to check that $R$ is a simulation relation between $C$ and $M_1 \,\|\, M_2$,
as required. □

² We assume that $\tau$ is a fresh action not otherwise present in the alphabet of LKSs.

Putting everything together, we get:

Corollary 1. Let $M_1, \ldots, M_n$ be LKSs, $\varphi$ an SE-A$\Omega$ formula, and $C$ an abstract
counterexample to $M_1 \,\|\, \ldots \,\|\, M_n \models \varphi$. Then $C$ is a valid counterexample iff $C\!\restriction_i \preceq_w M_i$ for
every $i \in \{1, \ldots, n\}$.

Checking whether $C\!\restriction_i \preceq_w M_i$ is done in a standard manner by a fixpoint computation
of the maximal weak simulation relation between $C\!\restriction_i$ and $M_i$.
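As an added example (not the paper's or MAGIC's code), the following Python sketch implements the projection of Definition 7, the greatest-fixpoint computation of the maximal weak simulation relation of Definition 8, and the compositional validity check of Corollary 1. The components M1, M2 (synchronising on a shared action) and the two candidate counterexamples are constructed for illustration; all state and action names are invented.

```python
# Added example (not the paper's or MAGIC's code): projection of a counterexample
# onto a component (Def. 7), greatest fixpoint of weak simulation (Def. 8), Cor. 1.
TAU = "tau"  # assumed fresh: no component alphabet contains it (footnote 2)
class LKS:
    def __init__(self, states, init, ap, labels, sigma, trans):
        self.S, self.init, self.AP, self.L = set(states), init, set(ap), labels
        self.Sigma, self.T = set(sigma), set(trans)
    def succ(self, s, a):
        return {t for (p, b, t) in self.T if p == s and b == a}

def project(C, Mi):
    """C|i: same states and init; labels cut to AP(Mi); actions outside Sigma(Mi) become tau."""
    trans = {(s, a if a in Mi.Sigma else TAU, t) for (s, a, t) in C.T}
    labels = {s: C.L[s] & Mi.AP for s in C.S}
    return LKS(C.S, C.init, Mi.AP, labels, Mi.Sigma | {TAU}, trans)

def max_weak_simulation(C, M):
    """Start from all label-compatible pairs (cond. 1); drop pairs violating cond. 2 or 3 until stable."""
    R = {(s1, s2) for s1 in C.S for s2 in M.S if C.L[s1] == M.L[s2]}
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(R):
            for (p, a, t) in C.T:
                if p != s1:
                    continue
                ok = (t, s2) in R if a == TAU else any((t, u) in R for u in M.succ(s2, a))
                if not ok:
                    R.discard((s1, s2)); changed = True; break
    return R

def weakly_simulated(C, M):
    return (C.init, M.init) in max_weak_simulation(C, M)

def valid_counterexample(C, components):
    """Corollary 1: C is valid iff every projection C|i is weakly simulated by Mi."""
    return all(weakly_simulated(project(C, Mi), Mi) for Mi in components)

# Constructed sample: M1, M2 synchronise on "sync"; C_VALID and C_SPURIOUS are candidate
# counterexamples over the composed alphabet. In C_SPURIOUS, c2 lacks q, so M2 cannot
# match the b-step: the counterexample is spurious and only M2 needs refining.
M1 = LKS({"m0", "m1"}, "m0", {"p"}, {"m0": set(), "m1": {"p"}}, {"a", "sync"},
         {("m0", "a", "m1"), ("m1", "sync", "m0")})
M2 = LKS({"n0", "n1"}, "n0", {"q"}, {"n0": set(), "n1": {"q"}}, {"b", "sync"},
         {("n0", "b", "n1"), ("n1", "sync", "n0")})
C_T = {("c0", "a", "c1"), ("c1", "b", "c2"), ("c2", "sync", "c0")}
C_VALID = LKS({"c0", "c1", "c2"}, "c0", {"p", "q"},
              {"c0": set(), "c1": {"p"}, "c2": {"p", "q"}}, {"a", "b", "sync"}, C_T)
C_SPURIOUS = LKS({"c0", "c1", "c2"}, "c0", {"p", "q"},
                 {"c0": set(), "c1": {"p"}, "c2": {"p"}}, {"a", "b", "sync"}, C_T)
```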

5.4  Abstraction  Refinement 

We now describe our counterexample-guided refinement procedure. Suppose that $C \not\preceq
M$; then the counterexample $C$ is spurious, and we need to refine our abstraction $\widehat{M} =
\widehat{M}_1 \,\|\, \ldots \,\|\, \widehat{M}_n$. We achieve this by examining each of the abstractions $\widehat{M}_i$ individually:
for $i \in \{1, \ldots, n\}$, we refine $\widehat{M}_i$ if $C\!\restriction_i \not\preceq_w M_i$. To this end, fix an index $j$ in $\{1, \ldots, n\}$
such that $C\!\restriction_j \not\preceq_w M_j$. Recall that $\widehat{M}_j$ is a quotient LKS of the form $(M_j)_{R_j}$, where $R_j$ is
an equivalence relation on $S(M_j)$. Our refinement step consists in producing a strictly
finer equivalence relation than $R_j$.

Recall the canonical mapping $\rho : S(C) \to S(\widehat{M})$ defined in Section 5.2, and let
$\rho_j : S(C) \to S(\widehat{M}_j)$ be its corresponding $j$th projection. We can show that:

Lemma 3. Suppose that for any $s \in S(C)$, any $a \in Enabled(s)$, and any $s_1, s_2 \in
\rho_j(s)$, we have that $AbsSucc(s_1, a) = AbsSucc(s_2, a)$. Then $C\!\restriction_j \preceq_w M_j$.

Since, by assumption, $C\!\restriction_j \not\preceq_w M_j$, it follows from Lemma 3 that there exist a
state $s \in S(C)$, an action $a \in Enabled(s)$, and two states $s_1, s_2 \in \rho_j(s)$ such that
$AbsSucc(s_1, a) \neq AbsSucc(s_2, a)$. Let $R'_j$ be a new equivalence relation derived from
$R_j$ by sub-partitioning the equivalence class $\rho_j(s)$ as follows: $q, q'$ belong to the same
sub-partition iff $AbsSucc(q, a) = AbsSucc(q', a)$. $R'_j$ is clearly a proper refinement
of $R_j$ (i.e. the number of equivalence classes of $R'_j$ is strictly greater than that of $R_j$), and is moreover
admissible since $R_j$ was admissible. It should be noted that the refined abstract LKS
$(M_j)_{R'_j}$ is however not guaranteed to refute the (projected) counterexample $C\!\restriction_j$. For
example, Figure 1 shows the abstract LKS $M_R$ and its refinement $M_{R'}$ which, in this
case, refutes the spurious counterexample $C$.

Since the refinement procedure always yields a proper refinement and since each
LKS is finite, the CEGAR-based SE-A$\Omega$ verification algorithm always terminates. In
particular, spurious counterexamples are always eventually refuted.
6  Applications and Future Work

We implemented our compositional approach for the verification of branching-time logics
in the MAGIC tool, developed at Carnegie Mellon [5, 22]. MAGIC extracts finite LKS
models from C programs. We applied the SE-A$\Omega$ compositional model checking loop
to the verification of a set of benchmarks whose abstract models were automatically
extracted by MAGIC. We verified code provided by our industrial partner, one of the
market-leading robot manufacturers worldwide. We analyzed the IPC (InterProcess
Communication) protocol used to mediate communication in a multi-threaded robot
controller software. We model checked the synchronous communication portion of the
IPC protocol, which was implemented in terms of messages passed between queues
owned by different threads. We specified a set of more than 20 SE-A$\Omega$ properties, most
of which were expressed using both states and events. This was required to make proper
assertions on the communication actions carrying data.

We found a bug in the provided version of the IPC code and reported it to our
industrial partner. The bug was a race condition in which a writer mistakenly blocks
while trying to write to a queue that is not full. The bug violated the property that no
communication times out when it could be safely delivered. It had gone undetected
despite seven years of industrial use of the IPC, including a substantial testing phase.

We are currently examining other case studies. For future work, we would also
like to carry out a systematic evaluation of the expressiveness of the SE-A$\Omega$ logic in
comparison to other universal logics, estimate the complexity of our algorithms, and
improve the methods presented in this paper.